from the questionable-legality dept

There's some buzz in security circles today after it came out that a session at the upcoming Black Hat Conference entitled "You Don't Have to be the NSA to Break Tor: Deanonymizing Users on a Budget" by Michael McCord and Alexander Volynkin (both of whom work for Carnegie-Mellon University and CERT) had been pulled from the conference at the request of CMU.

A Black Hat spokeswoman told Reuters that the talk had been canceled at the request of lawyers for Carnegie-Mellon University, where the speakers work as researchers. A CMU spokesman had no immediate comment.

There's been plenty of speculation about what's going on, but Chris Soghoian has a pretty good thesis that the researchers likely didn't have institutional approval or consent of the users they were identifying, meaning that they were potentially violating wiretapping statutes. As he notes, running a Tor server to try to spy on Tor traffic without talking to lawyers is a very bad idea. While it hasn't yet been confirmed that this is what happened, it certainly is a pretty sensible theory.

Of course, none of that changes the fact that it's possible to identify some Tor users. But... that's also not particularly new. In fact, we've discussed in the past how the feds can identify Tor users. Tor adds an important layer of protection, but there are plenty of ways that you can still be identified while using Tor. Just ask Ross Ulbricht. The problem isn't so much Tor itself but how people use it -- and the simple fact is that most people use it in a way that will eventually reveal who they are. While it's not definite, it seems likely that this is what the talk would have revealed. Shutting it down wasn't any sort of big attempt to cover up this fact, but perhaps it was to protect the researchers and (potentially) CMU from a lawsuit for violating wiretapping laws.